From: David A. Wheeler <dwheeler@dw...> - 2017-09-03 21:53:11

Flawfinder 2.0.4 has just been released! The ChangeLog and "git log" provide more detail.

People can now just use "pip install flawfinder" as another installation approach ("make install" continues to work). We also have more tests. We've switched from the older (semi-discouraged) distutils to setuptools to help do this. The overall goal has been to make flawfinder "as easy as possible to install and use". My hope is that system packagers will also package this version, so that people who can only easily install from their system packages will also have access to it.

We now have 219 rules (*not* including the rules to estimate risk level).

Flawfinder is *not* a sophisticated tool. But a number of people have told me that they find it useful. That's great! So here's an update that I hope will keep it useful for many people.

--- David A. Wheeler
From: David A. Wheeler <dwheeler@dw...> - 2017-08-27 02:26:36

Flawfinder 2.0.2 released! This one runs on both Python 2.7 and Python 3.

--- David A. Wheeler
From: David A. Wheeler <dwheeler@dw...> - 2017-07-31 02:19:47

Flawfinder 2.0.0 has been released! It adds the ability to generate CSV files; just use:

  flawfinder --csv FILES

There have been a number of format cleanups, and some bug fixing, based on reports from the pylint static analyzer. A few more rules have been added, esp. involving random numbers.

As you can tell from the version number, I've switched flawfinder to use semantic versioning.

There's a new CONTRIBUTING.md file that explains how to contribute.

A number of these changes (particularly CONTRIBUTING.md and the pylint issues) were made so that flawfinder could earn a CII best practices badge (and we have!): https://bestpractices.coreinfrastructure.org/projects/323

Enjoy!

--- David A. Wheeler
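As an added example (not part of the announcement or of flawfinder itself), here is how the CSV output described above can be turned into a CI gate: parse the rows, count hits per CWE, and fail the build only on hits at or above a chosen level that are not in a reviewed baseline of fingerprints. The column names (File, Line, Column, Level, Category, Name, Warning, Suggestion, Note, CWEs, Context, Fingerprint) are my assumption about the CSV header, and the rows are constructed for this example rather than real tool output.

```python
"""Turn `flawfinder --csv` output into a CI gate.

Added example, not flawfinder's own code. The column names are an
assumption about the CSV header; the rows are constructed.
"""
import csv
import io
import re
import sys
from collections import Counter

CWE_RE = re.compile(r"CWE-\d+")

# Constructed sample in the shape assumed for `flawfinder --csv FILES`.
SAMPLE_CSV = """\
File,Line,Column,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint
src/net.c,42,5,4,buffer,strcpy,"Does not check for buffer overflows (CWE-120).","Consider snprintf or strlcpy.",,CWE-120,"    strcpy(buf, input);",fp-0001
src/net.c,57,5,2,buffer,memcpy,"Does not check for buffer overflows (CWE-120).","Make sure destination can hold the source.",,CWE-120,"    memcpy(dst, src, n);",fp-0002
src/log.c,13,5,4,format,printf,"Format string may be attacker-influenced (CWE-134).","Use a constant format string.",,CWE-134,"    printf(msg);",fp-0003
src/util.c,88,12,1,buffer,strlen,"May over-read an unterminated string (CWE-126).",,,"CWE-126, CWE-119","    n = strlen(s);",fp-0004
"""


def parse_hits(csv_text):
    """Parse CSV text into hit dicts; Line/Level become ints, CWEs a list."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        hits.append({
            "file": row["File"],
            "line": int(row["Line"]),
            "level": int(row["Level"]),
            "category": row["Category"],
            "name": row["Name"],
            # A hit may carry several CWEs ("CWE-126, CWE-119"); keep them all.
            "cwes": CWE_RE.findall(row["CWEs"]),
            "fingerprint": row["Fingerprint"],
        })
    return hits


def count_by_cwe(hits):
    """Number of hits per CWE identifier, useful for trend reporting."""
    counts = Counter()
    for hit in hits:
        counts.update(hit["cwes"])
    return dict(counts)


def gate(hits, min_level=4, baseline=frozenset()):
    """Hits at or above min_level whose fingerprint is not already accepted.

    `baseline` holds fingerprints of hits a reviewer has already triaged,
    so a build fails only on new or unreviewed findings.
    """
    return [h for h in hits
            if h["level"] >= min_level and h["fingerprint"] not in baseline]


if __name__ == "__main__":
    found = parse_hits(SAMPLE_CSV)
    print("hits per CWE:", count_by_cwe(found))
    blocking = gate(found, min_level=4, baseline={"fp-0001"})
    for h in blocking:
        print(f"{h['file']}:{h['line']}: level {h['level']} {h['name']} {h['cwes']}")
    sys.exit(1 if blocking else 0)
```

Keying the baseline on the fingerprint column rather than on file and line number means a reviewed hit stays suppressed when unrelated lines are inserted above it, which is what makes the gate usable on a moving code base.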
From: David A. Wheeler <dwheeler@dw...> - 2014-08-03 23:03:32

I've just released version 1.31 of flawfinder. This is a set of small improvements, most of which are CWE-related.

* Note that flawfinder is officially CWE-compatible.
* Support GNU make install conventions (prefix, bindir, DESTDIR, etc.). The older program-specific conventions are still supported, but the documentation emphasizes using the standard conventions instead.
* Simplified installation text.
* Added more wide character function rules.
* Add reference to info at "http://www.dwheeler.com/secure-programs".
* Document that hitlists should be trusted to be loaded or diffed. These are implemented using Python's pickle module, and that module presumes the data is from a trustworthy source. In the expected use case this is fine... but it needed to be documented.
* Tweak/improve mappings to CWE. E.g., strlen() better maps to CWE-126 (buffer over-read). In a few cases the CWE mappings weren't reported as such; that is now fixed. CWEs are actually a hierarchy; expose a little of this so people can more easily search on them.
* Improved error detection and reporting. In particular, error messages are sent to standard error, filenames listed but non-existent trigger a separate warning, and there's a warning about non-existent filenames listed on the command line that begin with the UTF-8 long dash sequence (users might not notice the difference between long dash and dash, and this can happen in some cases when copying and pasting).
* Add "-H" option as synonym for "--html".

--- David A. Wheeler
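The note above that hitlists are pickle files, and that pickle presumes a trustworthy source, is the kind of thing a team sharing hitlists between machines or CI jobs needs to act on. As an added example (mine, not a flawfinder feature), the following shows one way to keep the convenience of pickle while refusing any file that was not produced by the holder of a shared key: an HMAC-SHA256 tag is computed over the pickled bytes on save and verified with a constant-time comparison before `pickle.loads` is ever called. The hit records, the key, and the `seal_hitlist`/`open_hitlist` names are all constructed for the example.

```python
"""Integrity-protect a pickled hitlist before loading it.

Added example, not flawfinder's own code: flawfinder's hitlists are plain
pickle files (per the release note); the HMAC wrapper here is an extra
layer a team could add when hitlists cross a trust boundary. Key and hit
records are constructed for the example.
"""
import hashlib
import hmac
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag prepended to the pickle


def seal_hitlist(hits, key):
    """Pickle `hits` and prepend an HMAC-SHA256 tag over the pickle bytes."""
    payload = pickle.dumps(hits, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def open_hitlist(blob, key):
    """Verify the tag first; only a blob that passes is handed to pickle.loads."""
    if len(blob) < TAG_LEN:
        raise ValueError("hitlist too short to carry an integrity tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking where the tags differ through timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hitlist integrity check failed; refusing to unpickle")
    return pickle.loads(payload)


def is_accepted(blob, key):
    """True when the blob loads cleanly under `key`, False when it is rejected."""
    try:
        open_hitlist(blob, key)
        return True
    except ValueError:
        return False


def flip_bit(blob, offset):
    """Return a copy with one bit flipped at `offset` (to show tampering is caught)."""
    data = bytearray(blob)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    # In practice read the key from an environment variable or secret store;
    # this literal is only for the stand-alone run.
    key = b"constructed-example-key"
    hits = [{"file": "src/net.c", "line": 42, "name": "strcpy", "level": 4}]
    sealed = seal_hitlist(hits, key)
    print("genuine accepted:", is_accepted(sealed, key))
    print("tampered accepted:", is_accepted(flip_bit(sealed, TAG_LEN + 3), key))
```

The tag covers the pickle bytes, so any change to the file (or a file produced with a different key) is rejected before deserialization; it does not make pickle itself safe for data from an unknown origin, which is exactly why the key must stay with the trusted producers.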
From: David A. Wheeler <dwheeler@dw...> - 2014-07-27 21:51:30

The MITRE folks have agreed that flawfinder is CWE-compatible... so we may as well document that. It also improves the CWE mapping, and provides more CWE-related information.

I've updated the next version number to be "1.31" (so it's not confused with 1.30). If anyone has last-minute comments, please let me know ASAP. Otherwise, the version in the git repo will soon become version 1.31.

Sorry for the rapid-fire releases, but I think it'll be helpful.

--- David A. Wheeler
From: David A. Wheeler <dwheeler@dw...> - 2014-07-19 23:45:58

Now announcing... flawfinder version 1.29.

I don't normally release updates only a week apart, but this update includes several improvements that I think some users may want right away (especially if you depend on CWE). The man page now includes much more information related to CWE. The output formats better than before, and if you generate HTML, the CWE identifiers now link to useful pages. The "--listrules" option now includes the default warning message, which provides much more information.

I'm trying to make flawfinder officially CWE compatible, since I think that could help many users. I think using *multiple* tools is very valuable; CWE information (as well as filename+line number information) helps make it easier to use multiple tools. These changes should help flawfinder be CWE compatible & easier to use with other tools.

--- David A. Wheeler
From: David A. Wheeler <dwheeler@dw...> - 2014-07-13 19:41:47

Version 1.28 of flawfinder has been released!! Changes include:

* Common Weakness Enumeration (CWE) references are now included in most hits
* Handle files not ending in newline (thanks to Alexis Wilke)
* Documentation clarifications
* Added support for "git diff" in patchfile processing
* Handles unbalanced double-quotes in sprintf
* Fix incorrect time executed report
* Fix bug to allow "flawfinder ." (fix bug#3)
* Fix ignore directive when filenames differ (fix bug#6)

--- David A. Wheeler
From: David A. Wheeler <dwheeler@dw...> - 2014-07-12 16:41:05

I intend to release an updated flawfinder soon with several small improvements. If you want to try it out immediately, it's in the git repository at:
https://sourceforge.net/p/flawfinder/code/ci/master/tree/

It resolves most of the previously-open tickets here:
https://sourceforge.net/p/flawfinder/_list/tickets

If there are other patches that should be added, or problems in the intended release, please let me know! Thanks!

--- David A. Wheeler
From: Mukesh Srivastava <srimks11@gm...> - 2008-08-14 00:37:43

Dear Flawfinder Developers,

I am totally new with uses of Flawfinder (FF). Probably, with the preliminary knowledge that I have gained from FLAWFINDER, it seems that FLAWFINDER can track a limited set of C APIs: strcpy(), strcat(), gets(), sprintf(), the scanf() family, format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()).

I have a few queries.

(a) Can the FLAWFINDER API database content, as mentioned above, be extended to cover more C library contents?

(b) If YES, can I know if there exists any document which discusses how to make any enhancement to FLAWFINDER with its original database of C APIs?

(c) It seems the printf() API is not being analyzed by FF or not supported; any reason, since other forms of printf() like fprintf(), sprintf() are supported?

Looking forward.

~BR
Mukesh K Srivastava
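The three questions above all come down to how a name-keyed rule table can be extended and how a rule can depend on the call's arguments. As an added illustration (my own code, not flawfinder's implementation or ruleset), the scanner below keeps a small dictionary of dangerous-function rules with level, category and CWE, exposes an `add_rule` extension point, and gives the printf family a per-rule check that stays quiet when the format argument is a string literal and reports when it is not. It strips comments and hides string contents so that `strcpy(` inside a comment or a string does not fire. The rules, their levels and the C sample are constructed for the example.

```python
"""A tiny rule-table scanner in the spirit of flawfinder.

Added example, not flawfinder's own code or ruleset. Rules, levels and the
C sample are constructed to show the extension points.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "line name level category cwe note")


def _is_literal(arg):
    return arg.startswith('"')


def format_check(index):
    """Rule check: return 0 (suppress) when argument `index` is a string literal."""
    def check(args):
        if len(args) > index and _is_literal(args[index]):
            return 0
        return None  # keep the rule's default level
    return check


# name -> rule. `check(args)` may return 0 to suppress, a level to override, or None.
RULES = {
    "strcpy":  dict(level=4, category="buffer", cwe="CWE-120", note="no bounds check"),
    "strcat":  dict(level=4, category="buffer", cwe="CWE-120", note="no bounds check"),
    "gets":    dict(level=5, category="buffer", cwe="CWE-120", note="unbounded read"),
    "printf":  dict(level=4, category="format", cwe="CWE-134",
                    note="format may be attacker-influenced", check=format_check(0)),
    "fprintf": dict(level=4, category="format", cwe="CWE-134",
                    note="format may be attacker-influenced", check=format_check(1)),
}


def add_rule(name, level, category, cwe, note, check=None):
    """Extension point: register one more dangerous-function rule."""
    RULES[name] = dict(level=level, category=category, cwe=cwe, note=note, check=check)


# String literal | line comment | block comment (leftmost match wins, so a
# comment marker inside a string is treated as part of the string).
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
CALL_RE = re.compile(r'(?<![\w.>])([A-Za-z_]\w*)\s*\(')


def _blank(text):
    """Replace everything but newlines with spaces so offsets and line numbers survive."""
    return re.sub(r'[^\n]', ' ', text)


def _strip_comments(source):
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else _blank(m.group(0)), source)


def _hide_strings(code):
    return TOKEN_RE.sub(lambda m: _blank(m.group(0)), code)


def split_args(code, open_idx):
    """Split the arguments of the call whose '(' is at open_idx, honouring nesting and strings."""
    args, cur, depth, in_str, i = [], [], 0, False, open_idx + 1
    while i < len(code):
        ch = code[i]
        if in_str:
            cur.append(ch)
            if ch == '\\' and i + 1 < len(code):
                cur.append(code[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch in '([{':
            depth += 1
            cur.append(ch)
        elif ch in ')]}':
            if depth == 0:
                break
            depth -= 1
            cur.append(ch)
        elif ch == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    last = ''.join(cur).strip()
    if last or args:
        args.append(last)
    return args


def scan(source):
    """Return a Hit for every rule-matching call outside comments and strings."""
    code = _strip_comments(source)
    search = _hide_strings(code)  # same length as `code`, so offsets line up
    hits = []
    for m in CALL_RE.finditer(search):
        rule = RULES.get(m.group(1))
        if rule is None:
            continue
        level = rule["level"]
        if rule.get("check"):
            verdict = rule["check"](split_args(code, m.end() - 1))
            if verdict is not None:
                level = verdict
        if level <= 0:
            continue
        line = source.count('\n', 0, m.start()) + 1
        hits.append(Hit(line, m.group(1), level, rule["category"], rule["cwe"], rule["note"]))
    return hits


# Constructed C sample exercising comments, strings and the format check.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
/* strcpy(a, b) inside a comment must not fire */
int main(int argc, char **argv) {
    char buf[64];
    const char *s = "strcpy(x, y) inside a string";   // nor this
    strcpy(buf, argv[1]);                /* hit: level 4 */
    printf("%s\n", s);                   /* literal format: quiet */
    printf(argv[2]);                     /* hit: level 4 */
    fprintf(stderr, "%d\n", argc);       /* literal format: quiet */
    return 0;
}
'''

if __name__ == "__main__":
    for h in scan(SAMPLE_C):
        print(f"{h.line}: [{h.level}] ({h.category}) {h.name}: {h.note} ({h.cwe})")
```

Running it reports `strcpy` on line 7 and the non-literal `printf` on line 9 only; the two literal-format calls are suppressed by the per-rule check, which is the mechanism question (c) is really asking about, and `add_rule` is the answer to (a): one more dictionary entry, optionally with its own check.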
From: Peter Teoh <htmldeveloper@gm...> - 2008-05-05 07:00:50

On 5/4/08, Sebastien Tandel <sebastien@...> wrote:
> Hi,
>
> > First, I would like to use it for linux kernel.....
> >
> > next...i would like to learn more about this tool and contribute to
> > its further development...
> >
> > first....string overflow is easy.....but can flawfinder do integer overflow?
>
> David will correct me if I'm wrong but Flawfinder's aim is to detect
> *potentially dangerous C functions*. It is therefore not indicated (and
> /useless/) to detect integer overflow.

Not sure what you mean....but integer overflow, sometimes difficult to exploit, but sometimes can lead to an even more powerful attack/compromise, as there are already a lot of antivirus with generic buffer overflow detection algorithm (eg, McAfee, and patented)....but integer overflow????i have not heard of....at least not from my friend at McAfee....:-)....

> Regards,
> Sebastien Tandel

--
Regards,
Peter Teoh
From: Sebastien Tandel <sebastien@ta...> - 2008-05-03 23:36:39

Hi,

> First, I would like to use it for linux kernel.....
>
> next...i would like to learn more about this tool and contribute to
> its further development...
>
> first....string overflow is easy.....but can flawfinder do integer
> overflow?

David will correct me if I'm wrong but Flawfinder's aim is to detect *potentially dangerous C functions*. It is therefore not indicated (and /useless/) to detect integer overflow.

Regards,
Sebastien Tandel
From: Peter Teoh <htmldeveloper@gm...> - 2008-05-03 23:22:29

First, I would like to use it for linux kernel.....

next...i would like to learn more about this tool and contribute to its further development...

first....string overflow is easy.....but can flawfinder do integer overflow?

thanks...

--
Regards,
Peter Teoh
From: David A. Wheeler <dwheeler@dw...> - 2007-01-17 22:54:34

Welcome to "flawfinder-discuss", a mailing list for discussing the use and improvement of flawfinder. If the traffic warrants it, we can split the users and developers of flawfinder into separate lists, but right now there's not enough traffic to warrant that.

--- David A. Wheeler